
Lodius2000

Members
  • Posts

    586
  • Joined

  • Last visited

    Never

Everything posted by Lodius2000

  1. Maybe not the right section, feel free to move it. I am creating a system in PHP that in the future I might consider selling, possibly as a subscription service. Just wondering how programs like vBulletin ensure that you are paying your bills, and how they punish you if you aren't (i.e. a hold on the account restricting access, or other options?). Also, how do they ensure you don't tamper with that part of their system (other than threatening legal action)?
  2. omg, I hate myself. I hate myself more for wasting all of your time. At the top of the code block,

     function process_form(){ global $db;

     should be

     function process_form(){ global $db, $salt;

     Variable scope can just bite me tonight.
  3. Just made this; $hash and $hash2 are the same:

     <?php
     require ('settings.php'); // define $salt
     $password = 'blah';
     $hash = hash("sha512",$password.$salt);
     print $hash."\n";
     $hash2 = hash("sha512",$password.$salt);
     print $hash2."\n";
     ?>
  4. $hash and $a are not the same, though they should be. I made a new account and tried this whole thing again; still different. If register.php hashes the pw before putting it in the db like this (direct copy paste):

     $password = $_POST['password'];
     $hash = hash("sha512",$password.$salt);

     and $hash is created in the login script like this (direct copy paste):

     $password = $_POST['password'];
     $hash = hash("sha512",$password.$salt);

     how am I getting different hash values?
  5. Well, that's just interesting. var_dump of $hash prints out the correct hash; $a['password'], on the other hand, prints out '6', which is the first character of the hash, but not the first character of id, the only numeric field in the table that doesn't contain 0 or 1.
  6. Alright then, that sounded like a passive request, so here it is, down and dirty:

     <?php
     function process_form(){
         global $db;
         $username = trim($_POST['username']);
         $password = trim($_POST['password']);
         $hash = hash("sha512",$password.$salt);
         $a = $db->getOne("SELECT password FROM users WHERE username = ?", array($username));
         if ($a['password'] == $hash ){
             $_SESSION['username'] = $username;
             print "you have successfully logged-in ";
             print '<a href="changepw.php">Change Password</a>';
         } else {
             $db->query("UPDATE users SET temp_usage = 1 WHERE username = ? and temp_password = ?", array($username, $hash));
             $_SESSION['username'] = $username;
             header('Location: changepw.php');
         }
     }
     ?>
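The posts above (2 through 6) chase a hash mismatch that turns out to be variable scope: inside process_form() the salt was never imported with `global`, so PHP hashed the password with an empty salt. The following is an added example, not code from the thread, that reproduces that failure side by side with the fixed function and then shows the form a practitioner would use today, password_hash()/password_verify(), which stores a per-user random salt inside the hash and compares in constant time. The value of $salt is constructed here in place of whatever settings.php defines.

```php
<?php
// Added example, not Lodius2000's code. $salt stands in for the value that
// settings.php would define; $db is only declared to mirror the thread.

$salt = 'constructed-site-salt';

// As posted in the thread: `global $db;` only. Inside the function $salt is an
// undefined local, which PHP treats as empty, so this is just sha512($password).
function hash_missing_global(string $password): string {
    global $db;                               // $salt deliberately not imported
    $s = isset($salt) ? $salt : '';           // what the concatenation actually sees
    return hash('sha512', $password . $s);
}

// The fix from post 2: import $salt as well.
function hash_with_global(string $password): string {
    global $db, $salt;
    return hash('sha512', $password . $salt);
}

// Hardened alternative: PHP picks a random per-user salt and stores it in the
// returned string, so there is no site-wide $salt to lose track of.
function make_password_hash(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

function check_password(string $password, string $stored): bool {
    return password_verify($password, $stored);   // constant-time comparison
}

// If existing sha512 rows must be kept, compare with hash_equals() rather than
// ==, which is neither a strict nor a constant-time comparison.
function sha512_matches(string $candidate, string $stored): bool {
    return hash_equals($stored, $candidate);
}

$password   = 'blah';
$registered = hash_with_global($password);      // what register.php stores
$login      = hash_missing_global($password);   // what the buggy login computed

echo "buggy login hash equals stored hash: ", var_export(hash_equals($registered, $login), true), "\n";
echo "fixed login hash equals stored hash: ", var_export(sha512_matches(hash_with_global($password), $registered), true), "\n";

$stored = make_password_hash($password);
echo "password_verify on fresh hash:       ", var_export(check_password($password, $stored), true), "\n";
echo "password_verify on wrong password:   ", var_export(check_password('not blah', $stored), true), "\n";
```

Run from the command line, the first line reports false (the salt-less hash never matches the stored one) and the remaining three report true, true, false. Note that the migration path from the sha512 scheme to password_hash() is to re-hash on the next successful login, since the plaintext is only available at that moment.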
  7. This is the bane of using a database abstraction... every time I have a SQL question on these forums, if I mention I use PEAR DB I get no responses, because my SQL looks weird. If I don't mention it and I try to make it look like I use the PHP mysql functions, I invariably screw up and people correct my function usage. I know how to use my dba, I don't know how to use PHP's mysql functions, but I try to fudge it. I think there is a problem with how my query result is interacting with my if() statement (possibly a SQL problem altogether). So in my real script $q is fetched into an associative array, so the code looks as such:

     if ($q['password'] == $hash)

     Now to me that says, 'if the password entered in the form matches the password in the database, display a successful login'. Now to the else clause: 'else the password entered in the form does not match the database, then do the second query and redirect to the password changing script'. Right, or am I screwed up somewhere? EDIT: CV, it seems like you have changed your sig like 9 times tonight, all of them worthy of being up there for quite a while. I was still laughing at the last one, now you have the stick pron joke.
  8. Sorry CV, supposed to be $q[0]... for some stupid reason I changed the variable for this forum; they do match up in my script though.

     //repost of the code
     <?php
     $username = trim($_POST['username']);
     $password = trim($_POST['password']);
     $hash = hash("sha512",$password.$salt);
     $q = mysql_query("SELECT `password` FROM `users` WHERE `username` = $username");
     if ( $q[0] == $hash ){
         $_SESSION['username'] = $username;
         print "you have successfully logged-in ";
         print '<a href="changepw.php">Change Password</a>';
     } else {
         mysql_query("UPDATE `users` SET `temp_usage` = '1' WHERE `username` = $username and `temp_password` = $hash");
         $_SESSION['username'] = $username;
         header('Location: changepw.php');
     }
     ?>
  9. This always redirects to changepw.php:

     <?php
     $username = trim($_POST['username']);
     $password = trim($_POST['password']);
     $hash = hash("sha512",$password.$salt);
     $q = mysql_query("SELECT `password` FROM `users` WHERE `username` = $username");
     if ( $a[0] == $hash ){
         $_SESSION['username'] = $username;
         print "you have successfully logged-in ";
         print '<a href="changepw.php">Change Password</a>';
     } else {
         mysql_query("UPDATE `users` SET `temp_usage` = '1' WHERE `username` = $username and `temp_password` = $hash");
         $_SESSION['username'] = $username;
         header('Location: changepw.php');
     }
     ?>

     and the query that updates temp_usage does not set it to 1. What's wrong?
  10. Are you using cookies? Are you closing the browser window, or quitting the program? If closing the window, is it a Firefox tab? Sessions persist from tab to tab in one Firefox window.
  11. Changing my thought process on this one... the code I posted is no longer relevant. Solved.
  12. Switch all instances of $_REQUEST to $_POST in all of your scripts and change your form method to POST, unless you have anything that you must pass through your URL like 'index.html?id=2'; then you need to use $_GET to retrieve those variables. POST passes all form variables silently to the form destination, GET passes all of them in the URL, REQUEST passes them all via either method. You don't want to see login.php?username=mikumus&password=yourrealpasswordinplaintext, so you use POST. Read http://shiflett.org/articles/cross-site-request-forgeries for more, or do a quick Google search on the dangers of $_REQUEST.

      Now on to your email... use my method, especially the $headers var, because some mail servers will toss it right into spam if you send an email without a Reply-To. If you are getting a blank email then it means your '$title','$name','$tag','$country','$a... isn't being passed to $m correctly. For one, you don't need the single quotes (correct me if I'm wrong, forum), so

      $message=array($title,$name,$tag,$country,$address,$cap,$date,$prize,$ruleSet,$customRule,$detail);
      $message=implode(" ",$message);

      should do it.
  13. Don't use $_REQUEST; it makes hacking your site way too easy. Use this format if SMTP is enabled on your server; this format will send an email:

      $to = $email;
      $subject = 'put your subject here';
      $message = "put your message here";
      $message = wordwrap($message, 70); // helps with formatting on the receiving end
      $headers = 'From: ' . $email . "\r\n" . 'Reply-To: ' . $email . "\r\n"; // make sure to define your to/froms
      mail($to, $subject, $message, $headers);
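Posts 12 and 13 above make three separate points: read form fields from $_POST only, guard the form against cross-site request forgery (the Shiflett article linked above), and build the mail headers from the submitted address. The block below is an added example, not the poster's code, that puts those together in one handler and adds the check the header line needs: the address is validated with filter_var() before it is concatenated into From/Reply-To, so an input containing a line break cannot add a header of its own. The superglobals are filled in by hand so the script runs from the command line; the field names are the ones from post 12, and the subject line and CSRF token helper are constructed for this example.

```php
<?php
// Added example, not code from the thread. $_POST, $_SESSION and
// $_SERVER['REQUEST_METHOD'] are populated below by hand (constructed input).

function new_csrf_token(): string {
    // Generated once per session, stored server-side, echoed into the form as a hidden field.
    return bin2hex(random_bytes(32));
}

// Returns [to, subject, message, headers] ready for mail(), or an error string.
function build_contact_mail(string $method, array $post, array $session) {
    if ($method !== 'POST') {
        return 'error: form must be submitted with POST';
    }
    $token = $post['csrf_token'] ?? '';
    if (!isset($session['csrf_token']) || !hash_equals($session['csrf_token'], $token)) {
        return 'error: missing or stale CSRF token';
    }
    $email = trim($post['email'] ?? '');
    // FILTER_VALIDATE_EMAIL rejects spaces and line breaks, so the address can
    // only ever occupy the single header line it is placed on.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'error: invalid e-mail address';
    }
    // The fields from post 12, read as variables rather than quoted names.
    $fields = ['title', 'name', 'tag', 'country', 'address', 'cap', 'date',
               'prize', 'ruleSet', 'customRule', 'detail'];
    $parts = [];
    foreach ($fields as $f) {
        $parts[] = trim($post[$f] ?? '');
    }
    $message = wordwrap(implode(' ', $parts), 70);
    $headers = 'From: ' . $email . "\r\n" . 'Reply-To: ' . $email . "\r\n";
    return [$email, 'Form submission (constructed subject)', $message, $headers];
}

// Constructed session and submission.
$_SESSION = ['csrf_token' => new_csrf_token()];
$_POST = [
    'csrf_token' => $_SESSION['csrf_token'],
    'email'      => 'organizer@example.com',
    'title'      => 'Spring open', 'name' => 'Pat', 'tag' => 'open',
    'country'    => 'NL', 'address' => 'Main St 1', 'cap' => '16',
    'date'       => '2024-05-01', 'prize' => 'trophy', 'ruleSet' => 'standard',
    'customRule' => '', 'detail' => 'Bring your own board',
];
$_SERVER['REQUEST_METHOD'] = 'POST';

$result = build_contact_mail($_SERVER['REQUEST_METHOD'], $_POST, $_SESSION);
print_r($result);
// In the real handler: [$to, $subject, $message, $headers] = $result; mail($to, $subject, $message, $headers);

// The same submission over GET, then with an address that carries a line break: both refused.
var_dump(build_contact_mail('GET', $_POST, $_SESSION));
$_POST['email'] = "organizer@example.com\nsecond line";
var_dump(build_contact_mail('POST', $_POST, $_SESSION));
```

The token comparison uses hash_equals() so that the check does not leak timing information, and the token is never read from $_GET, which is the same reason the posts give for avoiding $_REQUEST.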
  14. OK, I am trying to set up a system that uses either a regular password or a temporary password, but will only use the temp password once. A quick note: I use PEAR DB, so my queries look a bit weird in their punctuation, but I've commented it pretty well. Here are the pertinent parts of my db table:

      CREATE TABLE IF NOT EXISTS `users` (
        `id` bigint(20) NOT NULL,
        `username` varchar(14) NOT NULL,
        `password` varchar(128) NOT NULL,
        `temp_password` varchar(128) default NULL,
        `temp_usage` int(11) NOT NULL,
        `active` int(1) NOT NULL
      )

      and here is the page code:

      <?php
      if($_POST['_submit_check']){
          if($form_errors = validate_form()){
              show_form($form_errors);
          } else {
              process_form();
          }
      } else {
          show_form();
      }

      function show_form($errors = '') {
          //print out an <ul> of the $errors array
          // contains html form with $_POST['password'] value in it
      }

      function validate_form(){//contains error checking
          global $db, $salt;
          /********************************/
          /*this is where I need help with logic */
          /********************************/
          //determine whether user is valid and is changing temp_password or password
          $username = trim($_POST['username']);
          $password = trim($_POST['password']);
          $hash = hash("sha512",$password.$salt);
          $a = $db->query("SELECT id FROM users WHERE username = ? AND password = ? AND active = 1", array($username, $hash));//you should be able to guess where these array vars go in the query
          if ($a->numrows() == 1 ){//$a->numrows() works EXACTLY like mysql_numrows
              $password_field = "password";
          } else {
              $b = $db->query("SELECT id FROM users WHERE username = ? AND temp_password = ? AND active = 1 AND temp_usage = 0", array($username, $hash));
              if ($b->numrows() == 1 ){
                  $password_field = "temp_password";
              } else {
                  $errors[] = "Please enter a valid username and password";
              }
          }
      }//end validate_form

      function process_form(){
          global $db, $password_field;
          $username = trim($_POST['username']);
          $password = trim($_POST['password']);
          $hash = hash("sha512",$password.$salt);
          if ($password_field == "temp_password"){
              $db->query("UPDATE users SET temp_usage = 1 WHERE username = ? and temp_password = ?", array($username, $hash));// temp_usage = 1 disallows using the temp password again
              $_SESSION['username'] = $username;
              header('Location: changepw.php');
          } else {
              $_SESSION['username'] = $username;
              if (isset($password_field)){
                  print $password_field;
              } else {
                  print "password_field not set";
              }
          }
      }//end process_form
      ?>

      So this script, upon login using the temp_password, prints out "password_field not set", so somewhere up there in validate_form I made a boo boo but I can't spot it. Help... thanks
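Posts 8, 9 and 14 above all circle the same design: one login form, a regular password plus a single-use temporary one, and a result that has to be carried from the check to the action. The block below is an added example, not the poster's code, that folds validate_form()/process_form() into one function which returns which credential matched instead of passing $password_field through globals, keeps the username as a bound parameter rather than interpolating it into the SQL as posts 8 and 9 do, and marks the temporary password used in the same statement that checks it is still unused. It runs stand-alone against an in-memory SQLite database through PDO (an assumption made so the example needs no MySQL server); the `?` placeholders are the same style PEAR DB uses in post 14. Hashes are stored with password_hash() rather than salted sha512.

```php
<?php
// Added example, not code from the thread. PDO + SQLite in memory are used so
// it runs offline; the table mirrors the thread's `users` table.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->exec("CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    password TEXT NOT NULL,
    temp_password TEXT,
    temp_usage INTEGER NOT NULL DEFAULT 0,
    active INTEGER NOT NULL DEFAULT 1
)");

// Constructed sample account: a regular password and an as yet unused temp password.
$ins = $db->prepare("INSERT INTO users (username, password, temp_password, temp_usage, active)
                     VALUES (?, ?, ?, 0, 1)");
$ins->execute(['alice',
               password_hash('correct horse', PASSWORD_DEFAULT),
               password_hash('temp-1234', PASSWORD_DEFAULT)]);

/**
 * Returns 'password', 'temp_password', or null when nothing matched.
 * The username only ever travels as a bound parameter, and the hash check is
 * done in PHP, so neither value is ever spliced into the SQL text.
 */
function check_login(PDO $db, string $username, string $password): ?string {
    $stmt = $db->prepare("SELECT id, password, temp_password, temp_usage
                          FROM users WHERE username = ? AND active = 1");
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    if (password_verify($password, $row['password'])) {
        return 'password';
    }
    if ($row['temp_password'] !== null && (int)$row['temp_usage'] === 0
        && password_verify($password, $row['temp_password'])) {
        // Burn the temp password in the same statement that re-checks it is
        // unused, so two concurrent logins cannot both succeed with it.
        $upd = $db->prepare("UPDATE users SET temp_usage = 1 WHERE id = ? AND temp_usage = 0");
        $upd->execute([$row['id']]);
        return $upd->rowCount() === 1 ? 'temp_password' : null;
    }
    return null;
}

// What the page would do with the result: a session, then either the normal
// landing page or the forced redirect to changepw.php for a temp login.
function login_outcome(?string $field): string {
    if ($field === null) {
        return 'Please enter a valid username and password';
    }
    return $field === 'temp_password' ? 'redirect: changepw.php' : 'logged in';
}

// Walk-through, in order: temp password, the same temp password again,
// the real password, and a username containing a quote character.
foreach ([['alice', 'temp-1234'], ['alice', 'temp-1234'],
          ['alice', 'correct horse'], ["o'brien", 'correct horse']] as [$u, $p]) {
    $field = check_login($db, $u, $p);
    echo str_pad($u, 8), ' ', str_pad($p, 14), ' => ', var_export($field, true),
         ' (', login_outcome($field), ")\n";
}
```

Run from the command line, the four lines come out as temp_password, null, password, null: the temporary password works exactly once, the regular password keeps working, and a username with a quote in it is simply an unknown user rather than a malformed query. In the real page, `$_SESSION['username'] = $username` would be set only when check_login() returns non-null, and the redirect to changepw.php would follow the 'temp_password' result.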
  15. To both of you... thanks, that reaffirms me in the direction I was leaning. I didn't want to have more tables than needed, just wanted to make sure a table with thousands of records wouldn't slow me down too much... solved
  16. Which do you think (or do you know) is faster? I am possibly taking up part of a project. It is to create a blog system for a larger website geared at having thousands of members, each with a blog, among other things. I am thinking of having all blog entries in one table like this, in its most basic form:

      TABLE entries
      FIELDS id title entry_body username

      then we assemble each user's blog from this query:

      SELECT (id, title, entry_body) FROM entries WHERE username = $username

      or should I make a new table for each user?

      TABLE $username_entries
      FIELDS id title entry_body

      SELECT * FROM $username_entries //SELECT statements might not always use * so take that into account in your speed estimate

      Yes, I know SELECT * statements are really fast, but I am thinking about the massive number of tables that MySQL has to sift through before it even finds the correct one. So my question is, is it faster to have thousands (if not hundreds of thousands) of entries in one table and use a WHERE clause, or is it faster to select one table from thousands and dump its contents? I just wanna know because I don't wanna necessarily clutter the database with oodles of tables unless there is a serious speed bonus. Thanks
  17. ahhh! Short tags = NO. To initialize PHP, don't use <?; use <?php always.
  18. Cary... you sure, 20 or 30? I work at Home Depot and the home improvers there can ask me about 30 different things in a few minutes.
  19. I agree, ialsoagree, small haystack = faster than db, but FromCary is taking the collective product descriptions of a Home Depot and putting them into individual text files, then storing an array with their names somewhere in a static text file and then linking to a PHP file that loads the text file as an include. But I'm sure the GET var searching through a huge directory of text files rather than loading 1 row from a db... I think in this case a db would be way faster.
  20. cron runs on Linux servers; your host's tech support can probably help you set it up... it is a command to direct the internal browser of the server your site resides on to an address you choose. So you make a cron.php that does what you want it to, usually db maintenance/backup, and then point your cron job there and it accesses the page whenever you want it to, rather than you having to go to your cron.php from your computer each day. Here's my cron script; it is run at 4am every morning and it backs up my db:

      <?php
      include ('../../dbbackups/config.php');
      $backupFile = '../../dbbackups/' . date("Y-m-d") . '.sql.gz';
      $command = "/usr/bin/mysqldump -h$dbhost -u$dbuser -p$dbpass $dbname | gzip -c > $backupFile";
      $backup =`$command`;
      ?>
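The backup script in the post above builds its shell command by string interpolation, and passes the database password as `-p$dbpass` on the command line, where it is visible to every local account in the process list for as long as the dump runs. The block below is an added example, not the poster's script, that does the same mysqldump-to-gzip job with the credentials in an owner-only option file passed through `--defaults-extra-file`, and every argument wrapped in escapeshellarg() so a database name or path with shell metacharacters cannot change the command. The config values are constructed stand-ins for what ../../dbbackups/config.php would define; the command is built and printed rather than executed, with the exec() call shown in a comment.

```php
<?php
// Added example, not Lodius2000's cron script. Connection values are constructed.

$dbhost = 'localhost';
$dbuser = 'backup';
$dbpass = 'constructed-secret';
$dbname = 'site';
$backupDir = sys_get_temp_dir() . '/dbbackups';   // the post uses ../../dbbackups/

// Write a MySQL option file readable only by this user. umask is tightened
// before the file is created so it never exists with wider permissions.
function write_defaults_file(string $dir, string $host, string $user, string $pass): string {
    $path = $dir . '/.my-backup.cnf';
    $contents = "[client]\n"
              . "host=" . $host . "\n"
              . "user=" . $user . "\n"
              . 'password="' . str_replace('"', '\"', $pass) . "\"\n";   // quoted for option-file syntax
    $old = umask(0077);
    $fh = fopen($path, 'w');
    umask($old);
    fwrite($fh, $contents);
    fclose($fh);
    return $path;
}

// --defaults-extra-file must be the first option; every other value is quoted.
function backup_command(string $cnf, string $dbname, string $backupFile): string {
    return '/usr/bin/mysqldump --defaults-extra-file=' . escapeshellarg($cnf) . ' '
         . escapeshellarg($dbname) . ' | gzip -c > ' . escapeshellarg($backupFile);
}

if (!is_dir($backupDir)) {
    mkdir($backupDir, 0700, true);
}
$cnf        = write_defaults_file($backupDir, $dbhost, $dbuser, $dbpass);
$backupFile = $backupDir . '/' . date('Y-m-d') . '.sql.gz';
$command    = backup_command($cnf, $dbname, $backupFile);

echo $command, "\n";
echo "credentials file mode: ", substr(sprintf('%o', fileperms($cnf)), -4), "\n";
// In the cron job: exec($command . ' 2>&1', $output, $status);
// then treat $status !== 0 as a failed backup and log $output.
```

Running the script from cron as `php /path/to/cron.php` (rather than fetching it through the web server) also keeps the backup directory and the option file outside anything a browser can request, and the dump file itself should inherit the same 0700 directory so it is not world-readable.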
  21. Correct me if I'm wrong, but functions like in_array are wayyyyy slower than

      SELECT term FROM definitions_table WHERE term = $term
      //just trying to figure out how he would do the links if they linked to static files
  22. Yeah, but that adds unnecessary overhead to the page load of an undeserving user, where a cron once/twice per day (based on traffic) would prune a db table before it got too large to actually slow down the site, and it wouldn't be an extra load on a user. But I see what you mean, because if you are logging in for the second time since cron was last run, the db row with your name in it will probably have to be deleted anyway.
  23. Also, if it's an option, use a db. That way you can load a dynamic array of the list of terms, so that say 6 months down the line you realize the term 'pressure treated' was never included in the list of terms, so you have to go make a term page for it, then you have to append the list of terms, then you have to make the link to that page... or with a db, you make a new row in the table:

      term = pressure treated
      def = definition

      then on the terms list page, you

      SELECT terms FROM definitions_table
      foreach($terms as $term){
          echo "<a href=\"path/to/terms/page.php?term=$term\">$term</a>";
      }

      See how easy that was? You spend a little more time on the setup (i.e. making a create_new_term.php) and later on down the line becomes sooo much faster and easier. Hope that sways you.
  24. Going with what thorpe said... then you need a cron script to clean out that db table of all rows older than 5 mins so that that table doesn't get too huge.
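The link loop in the post above drops each term straight into both the query string and the HTML, which works for "joist" but not for a term with a space, a quote or an ampersand, and would let any markup stored in the table land in the page unescaped. The following is an added example, not the poster's code, showing the two encodings a value needs on its way out: urlencode() for the `?term=` parameter and htmlspecialchars() for the attribute and the visible text. The term list is a constructed array standing in for the rows that `SELECT terms FROM definitions_table` would return.

```php
<?php
// Added example, not code from the thread. $terms is constructed sample data.

function term_link(string $term, string $page = 'path/to/terms/page.php'): string {
    // URL-encode the value for the query string first, then HTML-encode the
    // whole attribute; the two layers are different and both are needed.
    $href = $page . '?term=' . urlencode($term);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($term, ENT_QUOTES, 'UTF-8') . '</a>';
}

function render_term_list(array $terms): string {
    $out = "<ul>\n";
    foreach ($terms as $term) {
        $out .= '  <li>' . term_link($term) . "</li>\n";
    }
    return $out . "</ul>\n";
}

// On page.php the reverse direction is just $_GET['term'], already decoded by
// PHP, handed to the lookup as a bound parameter in the style of post 21:
//   $db->getRow("SELECT def FROM definitions_table WHERE term = ?", array($_GET['term']));

$terms = ['joist', 'pressure treated', 'drywall (1/2")', 'ampère & volt'];
echo render_term_list($terms);
```

The output keeps each term readable on the page while every href carries a value that page.php can read back with $_GET['term'] unchanged, which is what makes the list safe to generate from whatever create_new_term.php later inserts.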